According to researchers at Endor Labs, a supply chain attack has compromised the widely used LiteLLM Python library on PyPI, with malicious code introduced into versions 1.82.7 and 1.82.8, which have since been removed. The package is used in AI and developer environments and is estimated to see approximately 95 million downloads per month, significantly expanding the potential impact.
The malicious releases contained credential-stealing malware, including a .pth file that executes automatically when Python starts, allowing attackers to collect SSH keys, cloud credentials, API tokens, and environment variables from affected systems. In some cases, the malware also attempted to access Kubernetes secrets and deploy persistent backdoors on compromised machines.
The incident has been linked to the TeamPCP threat group, which previously targeted software supply chains, and is believed to be connected to earlier compromises involving developer tooling. Researchers reported that the attackers used compromised publishing credentials to distribute the malicious packages, with claims that data may have been collected from hundreds of thousands of affected devices.
Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs:
“Every third-party dependency is a trust decision. The LiteLLM compromise demonstrates what happens when that trust is granted by default and at scale.
“TeamPCP did not need to attack LiteLLM directly. They compromised Trivy, a vulnerability scanner running inside LiteLLM’s CI pipeline without version pinning. That single unmanaged dependency handed over the PyPI publishing credentials, and from there the attacker backdoored a library that serves 95 million downloads per month. One dependency. One chain reaction. Five supply chain ecosystems compromised in under a month.
“The pattern is instructive. TeamPCP has exclusively targeted security adjacent tools. A vulnerability scanner, an infrastructure as code analyzer, and now an LLM proxy that handles API keys by design. These tools run with broad access because that is how they function. Compromising one hands the attacker every credential and secret that tool was trusted to touch.
“This incident forces a broader conversation about how organizations treat their dependency graph. Zero trust has been applied to users, devices, and networks. Dependencies deserve the same scrutiny. Every imported library, build tool, and CI plugin carries implicit trust that is rarely evaluated with the same rigor applied to a new network connection or user account. At enterprise scale, this creates compounding technical debt where a single compromised package can cascade across the entire environment.
“The cost of building capability in house has dropped significantly. Organizations have more options to reduce their dependency surface than they did even two years ago. Dependencies that were once unavoidable are now choices. Where a third party library handles sensitive credentials, routes API traffic, or runs inside a build pipeline, organizations should be asking whether the risk of importing that dependency outweighs the cost of building and maintaining the capability internally. For the dependencies that remain, strict service level agreements, continuous verification, and the same zero trust posture applied to any other external input are the minimum standard.
“The dependency graph is part of the attack surface. Treating it as anything less is how cascading compromises happen.”
Noelle Murata, Sr. Security Engineer, Xcape, Inc.:
“The LiteLLM incident is a textbook example of “blind-trust” engineering, where the convenience of a one-line install command outweighs basic cryptographic integrity. The business impact here is a complete loss of environment isolation, as a single unverified pip install can transition an attacker from a developer’s terminal to the core of a Kubernetes cluster in seconds.
“We should care because the industry’s reliance on public repositories without local hash verification or “lockfiles” has effectively turned the Internet into an unvetted production dependency. This breach succeeded because many organizations treat PyPI as a trusted internal mirror rather than a public, high-risk source of untrusted code.
“To remediate this, defenders must move beyond reactive patching and enforce the use of signed software bills of materials (SBOMs) and private package registries that require mandatory hash pinning and pre-install scanning. If your CI/CD pipelines are pulling directly from the public Internet without validating a requirements.txt against known-good hashes, you have effectively outsourced your root access to anyone who can phish a single package maintainer.
“Installing unvetted packages from the Internet is essentially the digital equivalent of eating a sandwich you found on the subway and being surprised when you get food poisoning.”
Rajeev Raghunarayan, Head of GTM, Averlon:
“The LiteLLM compromise reflects an accelerating pattern: attackers using compromised publishing credentials to inject malicious code into widely used libraries, turning trusted dependencies into distribution mechanisms for credential-stealing malware.
“What makes incidents like this dangerous is the scope of access they expose. Cloud credentials, API tokens, and Kubernetes secrets don’t just represent a single point of compromise. They create pathways into the broader infrastructure those credentials connect to.
“This is the pattern organizations need to plan for. The initial compromise is rarely where the real damage happens. It’s where the attack chain begins.”
Ryan McCurdy, VP of Marketing, Liquibase:
“Incidents like this are a reminder that in the AI era, software supply chain risk is expanding faster than most control models. When widely used developer and AI tooling is compromised, the blast radius can move quickly across credentials, cloud environments, and production systems.
“The lesson for enterprise teams is bigger than any one package: governance has to extend across how change is introduced, validated, promoted, and audited. Speed without control is not modernization. It is exposure.”
Blind trust in anything is a bad thing. This is example of why that is a bad thing. And why companies need to trust but verify. Or simply not trust at all.
Like this:
Like Loading...
Related
This entry was posted on March 25, 2026 at 4:25 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
LiteLLM supply chain attack compromises PyPI package
According to researchers at Endor Labs, a supply chain attack has compromised the widely used LiteLLM Python library on PyPI, with malicious code introduced into versions 1.82.7 and 1.82.8, which have since been removed. The package is used in AI and developer environments and is estimated to see approximately 95 million downloads per month, significantly expanding the potential impact.
The malicious releases contained credential-stealing malware, including a .pth file that executes automatically when Python starts, allowing attackers to collect SSH keys, cloud credentials, API tokens, and environment variables from affected systems. In some cases, the malware also attempted to access Kubernetes secrets and deploy persistent backdoors on compromised machines.
The incident has been linked to the TeamPCP threat group, which previously targeted software supply chains, and is believed to be connected to earlier compromises involving developer tooling. Researchers reported that the attackers used compromised publishing credentials to distribute the malicious packages, with claims that data may have been collected from hundreds of thousands of affected devices.
Jacob Krell, Senior Director: Secure AI Solutions & Cybersecurity, Suzu Labs:
“Every third-party dependency is a trust decision. The LiteLLM compromise demonstrates what happens when that trust is granted by default and at scale.
“TeamPCP did not need to attack LiteLLM directly. They compromised Trivy, a vulnerability scanner running inside LiteLLM’s CI pipeline without version pinning. That single unmanaged dependency handed over the PyPI publishing credentials, and from there the attacker backdoored a library that serves 95 million downloads per month. One dependency. One chain reaction. Five supply chain ecosystems compromised in under a month.
“The pattern is instructive. TeamPCP has exclusively targeted security adjacent tools. A vulnerability scanner, an infrastructure as code analyzer, and now an LLM proxy that handles API keys by design. These tools run with broad access because that is how they function. Compromising one hands the attacker every credential and secret that tool was trusted to touch.
“This incident forces a broader conversation about how organizations treat their dependency graph. Zero trust has been applied to users, devices, and networks. Dependencies deserve the same scrutiny. Every imported library, build tool, and CI plugin carries implicit trust that is rarely evaluated with the same rigor applied to a new network connection or user account. At enterprise scale, this creates compounding technical debt where a single compromised package can cascade across the entire environment.
“The cost of building capability in house has dropped significantly. Organizations have more options to reduce their dependency surface than they did even two years ago. Dependencies that were once unavoidable are now choices. Where a third party library handles sensitive credentials, routes API traffic, or runs inside a build pipeline, organizations should be asking whether the risk of importing that dependency outweighs the cost of building and maintaining the capability internally. For the dependencies that remain, strict service level agreements, continuous verification, and the same zero trust posture applied to any other external input are the minimum standard.
“The dependency graph is part of the attack surface. Treating it as anything less is how cascading compromises happen.”
Noelle Murata, Sr. Security Engineer, Xcape, Inc.:
“The LiteLLM incident is a textbook example of “blind-trust” engineering, where the convenience of a one-line install command outweighs basic cryptographic integrity. The business impact here is a complete loss of environment isolation, as a single unverified pip install can transition an attacker from a developer’s terminal to the core of a Kubernetes cluster in seconds.
“We should care because the industry’s reliance on public repositories without local hash verification or “lockfiles” has effectively turned the Internet into an unvetted production dependency. This breach succeeded because many organizations treat PyPI as a trusted internal mirror rather than a public, high-risk source of untrusted code.
“To remediate this, defenders must move beyond reactive patching and enforce the use of signed software bills of materials (SBOMs) and private package registries that require mandatory hash pinning and pre-install scanning. If your CI/CD pipelines are pulling directly from the public Internet without validating a requirements.txt against known-good hashes, you have effectively outsourced your root access to anyone who can phish a single package maintainer.
“Installing unvetted packages from the Internet is essentially the digital equivalent of eating a sandwich you found on the subway and being surprised when you get food poisoning.”
Rajeev Raghunarayan, Head of GTM, Averlon:
“The LiteLLM compromise reflects an accelerating pattern: attackers using compromised publishing credentials to inject malicious code into widely used libraries, turning trusted dependencies into distribution mechanisms for credential-stealing malware.
“What makes incidents like this dangerous is the scope of access they expose. Cloud credentials, API tokens, and Kubernetes secrets don’t just represent a single point of compromise. They create pathways into the broader infrastructure those credentials connect to.
“This is the pattern organizations need to plan for. The initial compromise is rarely where the real damage happens. It’s where the attack chain begins.”
Ryan McCurdy, VP of Marketing, Liquibase:
“Incidents like this are a reminder that in the AI era, software supply chain risk is expanding faster than most control models. When widely used developer and AI tooling is compromised, the blast radius can move quickly across credentials, cloud environments, and production systems.
“The lesson for enterprise teams is bigger than any one package: governance has to extend across how change is introduced, validated, promoted, and audited. Speed without control is not modernization. It is exposure.”
Blind trust in anything is a bad thing. This is example of why that is a bad thing. And why companies need to trust but verify. Or simply not trust at all.
Share this:
Like this:
Related
This entry was posted on March 25, 2026 at 4:25 pm and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.